The human factor

– On December 18. 2013, Target, the second largest discount retailer company in USA, reported that they were investigating a major data breach potentially involving millions of customer credit card records. Additional details were reported over the next weeks, and on January 10. 2014, Target reported that the total number of affected customers may be as large as 110 million.

A sophisticated malware attack – or not?

How could this happen? Was this an attack from really advanced hackers using malware with capabilities not previously seen? What about the security infrastructure at Target and its partners. Were there vulnerabilities present that hackers could take advantage of?

The information from Target stated that they had been the victim of a “very sophisticated crime”. Target was certified to meet the security standard for the payment card industry, but the attack was so advanced that it had been able to circumvent these measures.

A couple of recent events gave us added insight about this case. In spite of Targets assertion that the hackers were highly technical, the security firm McAfee concluded that the attack was “extremely unimpressive and unremarkable”. The attackers used easily modified off-the shelf malware and common methods to hide it. They bought this unsophisticated piece of software from a cybercrime community that specializes in creating customized malware to perform such attacks. But in essence this does not differ from the mainstream of malware that we here at Norman and other security companies face every day.

A solid security infrastructure is not enough!

An article in Bloomberg BusinessWeek revealed that Target indeed was prepared for such an attack. That is at least from a technical standpoint. They had invested heavily in the best anti-malware infrastructure available, and had security experts placed on several locations around the globe. But there is always a human factor involved…

It appears that the attack started as early as November 30th. The intruders were able to install malware and set it into action. At this point the Targets alert systems worked the way they should. The attack was detected and reported exactly as planned.

The problem was that no one was present to take appropriate action. Or – if they were present, they did not react appropriately. Rather than stop the malicious action, which they could have done at that point, they let millions of records with credit card data leave the secrecy of their systems.

On December 2nd, an updated version of the malware was installed. Again the security infrastructure correctly gave an alert, and again nobody took action.